Security Job Titles

I was seeing job postings the other day through one of my email blasts that I receive and it got me thinking. Who comes up with these job titles? When I worked for a small CPA firm and I was allowed to choose my own title, I chose "LAN Administrator". It fit my job fairly well; I was responsible for the servers, the network, the PCs, etc. I moved to the helpdesk, and for a while I was a "Helpdesk Analyst", a title that also makes complete sense. After a year or so though, HR decided to change our titles in IT. I got changed from the "Helpdesk Analyst" to a "Systems Software Engineer Analyst". I had never engineered anything but a good case of loathing for users at that point.

When I moved to the Security Administration area, my title changed to a "Systems Software Engineer Specialist". Again, complete and utter nonsense. I was a security administrator. Create accounts, grant rights, revoke rights, delete accounts, rinse, repeat. The only thing I was specializing in was creating copy/paste emails to send to users who were impatiently waiting to get Microsoft Visio.

Within a couple years I got promoted to an "IT Security Specialist". Hmm...ok, at least this is a little closer. We were no longer called "IT Security" but working in Information Security, I at least had "security" in my title! Then HR comes in and says they are going to change things again. They were going to have "HR Titles" and "Internal Titles" because HR titles needed to match other jobs in the industry while our internal titles would more closely match what we actually do. I was skeptical and it turns out it was warranted. It took them until I was promoted again to finally take hold. My HR title became "IT Security Sr Specialist", while my internal title became "Vulnerability Management Senior Specialist". While I'm trying to get more into the Vulnerability arena, it's a very small part of what I do. I still do governance of the Security Administration area, I do some vulnerability scans, some security awareness, and a host of other "who can we get to do this" tasks. Someone who is a level above me at our company is listed as an "IT Security Sr Tech Specialist" yet my job is much more technical than that person's.

I considered consulting our HR group on this issue but I didn't think I would get very far, so I reached out to my friend @HackerHuntress and asked for her opinion on my confusion. She talks with job seekers as well as hiring managers on a daily basis. Her response cemented my opinion that job titles are really not geared towards what a user does and are more about being able to gauge a salary band the user can fit into.

I asked her a couple questions including if she saw the title discrepancy and if so where, any tricks for our friends out there trying to find a job and deciphering the job postings, and if she thinks HR would ever get in the game and match titles to what we actually do. Her response was very informative in that she has seen the job title game played mostly at companies with internal security practices. (Think F-500 companies that do their own security but don't do security as a service). Her comment to this was "Most companies, though, go the “security specialist” or “security analyst” route. In my experience a security analyst can be anything from a firewall engineer to a QSA." She doesn't hold out any hope that HR will ever get to the point that they are lining up with what the security individual is doing because most don't know what the user's responsibilities even are.

On the topic of how to assist our friends still looking for jobs, she said to talk to recruiters & hiring managers. Getting as close to the person as you can who is doing the hiring will help you in determining what you are getting into at that company. You may be listed as the 'Security Guru' in a large company but if all you're doing is making sure everyone is swiping their ID badge as they walk in, it may not be the job for you.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.